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Abstract 

We study the problem of generating a test sequence that achieves maximal coverage for a 
reactive system under test. We formulate the problem as a repeated game between the tester and 
the system, where the system state space is partitioned according to some coverage criterion and 
the objective of the tester is to maximize the set of partitions (or coverage goals) visited during 
the game. We show the complexity of the maximal coverage problem for non-deterministic 
systems is PSPACE-complete, but is NP-complete for deterministic systems. For the special 
case of non-deterministic systems with a re-initializing "reset" action, which represent running a 
new test input on a re-initialized system, we show that the complexity is again co-NP-complete. 
Our proof technique for reset games uses randomized testing strategies that circumvent the 
exponentially large memory requirement in the deterministic case. 

1 Introduction 

Code coverage is a common metric in software and hardware testing that measures the degree to 
which an implementation has been tested with respect to some criterion. In its simplest form, one 
starts with a model of the program, and a partition of the behaviors of the model into coverage 
goals [3J- A test is a sequence of inputs that determines a behavior of the program. The aim of 
testing is to explore as many coverage goals as possible, ideally as quickly as possible. In this paper, 
we give complexity results for several coverage problems. The problems are very basic in nature: 
they consist in deciding whether a certain level of coverage can be attained in a given system. It is 
thus somewhat surprising that the problems have not been considered previously in the literature. 

Finite-state directed graphs have been used as program models for test generation of reactive 
systems for a long time (see [Ml [6] for surveys) . A coverage goal is a partition of the states of the 
graph, and a test is a sequence of labels that determine a path in the graph. The maximal coverage 
test generation problem is to hit as many partitions as possible using a minimum number of tests. 
In the special case the partitions coincide with the states, the maximal coverage problem reduces to 
the Chinese postman problem for which there are efficient (polynomial time) algorithms [3- In this 
paper, we show that the maximal coverage problem becomes NP-complete for graphs with general 
partitions. We also distinguish between system complexity (the complexity of the problem in terms 
of the size of the graph) and the coverage complexity (the complexity of the problem in terms of 
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the number of coverage goals). Then, the problem is NLOGSPACE in the size of the graph (but 
that algorithm uses space polynomial in the number of propositions). 

We consider the special case where the graph has a special "reset" action that takes it back 
to the initial state. This corresponds in a testing setting to the case where the system can be re- 
initialized before running a test. In this case, the maximal coverage problem remains polynomial, 
even with general partitions. 

Directed graphs form a convenient representation for deterministic systems, in which all the 
choices are under the control of the tester. Testing of non-deterministic systems in which certain 
actions are controllable (under the control of the tester) and other actions are uncontrollable lead 
to game graphs [14]. A game graph is a directed labeled graph where the nodes are partitioned 
into tester- nodes and system- nodes, and while the tester can choose the next input at a tester 
node, the system non-deterministically chooses the next state at a system node. Then, the test 
generation problem is to generate a test set that achieves maximal coverage no matter how the 
system moves. For general game graphs, we show the complexity of the maximal coverage problem 
is PSPACE-complete. However, there is an algorithm that runs in time linear in the size of the game 
graph but exponential in the number of coverage goals. Again, the re-initializability assumption 
reduces the complexity of coverage: in case there is a re-initialization strategy of the tester from 
any system state, the maximal coverage problem for games is co-NP-complete. Dually, we show 
that the problem of whether it is possible to win a safety game while visiting fewer than a specified 
number of partitions is NP-complete. 

Finally, we consider the coverage problem in bounded time, consisting in checking whether a 
specified number of partitions can be visited in a pre-established number of steps. We show that 
the problem is NP-complete for graphs, and is PSPACE-complete for game graphs. 

Optimization problems arising out of test generation have been studied before in the context of 
both graphs and games [H [lOl [HI [5]. However, to the best of our knowledge, the complexities of 
the coverage problems studied here have escaped attention so far. 

While we develop our theory for the finite-state, discrete case, we can derive similar results 
for more general models, such as those incorporating incomplete information (the tester can only 
observe part of the system state) or timing. For timed systems modeled as timed automata, the 
maximal coverage problem is PSPACE-complete. For timed games as well as for (finite state) game 
graphs with incomplete information, the maximal coverage problem becomes EXPTIME-complete. 

2 Definitions 

In this section we define labeled graphs and labeled games, and then define the two decision problems 
of coverage, namely, maximal coverage problem and coverage with bounded time problem. We start 
with definition of graphs and games. 

Definition 1 (Labeled graphs) ^ labeled graph = {{V,E),Vin,f^P,.C) consists of the following 
component: 

1. A finite directed graph with vertex set V and edge set E; 

2. the initial vertex Vm; 

3. a finite set of atomic propositions AP; 
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4- a labeling function C that assigns to each vertex v the set C{v) of atomic propositions true at 
s. 

For technical convenience we will assume that for all vertices v , there exists u & V such that 
{v,u) G E, i.e., each vertex has at least one out-going edge. 

Paths in graphs and reachability. Given a labeled graph G, a path a; in ^ is a infinite sequence 
of vertices {vo,Vi,V2 ■ . .) starting from the initial vertex ■Uj„ (i.e., vq = Vin) such that for alH > 
we have (f j, Vj+i) £ E. A vertex Vi is reachable from Vin if there is a path u = {vq, vi,V2 . . .) in ^ 
and J > such that the vertex Vj in lo is the vertex Vj. 

Definition 2 (Labeled game graphs) A labeled game graph Q = {{V,E),{Vi,V2),Vin,f^P,jO-) 

consists of the components of a labeled graph along with a partition of the finite vertex set V 
into (1^1, V2). The vertices in Vi are player 1 vertices where player 1 chooses outgoing edges, and 
analogously, the vertices in V2 are player 2 vertices where player 2 chooses outgoing edges. Again 
for technical convenience we will assume that for all vertices v E V, there exists u G V such that 
{v,u) G E, i.e., each vertex has at least one out-going edge. 

Plays and strategies in games. A play in a game graph is a path in the underlying graph of the 
game. A strategy for a player in a game is a recipe to specify how to extend the prefix of a play. 
Formally, a strategy tti for player 1 is a function tti : V* ■ Vi ^ V that takes a finite sequence of 
vertices w ■ v ending in a player 1 vertex v, where w (^V* and v eVi, representing the history of the 
play so far, and specifies the next vertex tti{w-v) choosing an out-going edge (i.e., (v, tti{w-v)) G E. 
A strategy 112 ■ V* -¥2 ^ V is defined analogously. We denote by Hi and 112 the set of all strategies 
for player 1 and player 2, respectively. Given strategies tti and 7r2 for player 1 and player 2, there 
is a unique play (or a path) uj{vin,TTi,TT2) = {vo,vi,V2, ■ ■ ■ such that (a) vq = v^; (b) for all i >0, 
if Vi G Vi, then 7ri(t'o ■ vi . . . ■ Vi) = Vj+i; and if Vi G V2, then 7r2(t;o ■ vi . . . ■ Vi) = Vi+i. 

ControUably recurrent graphs and games. Along with general labeled graphs and games, 
we will also consider graphs and games that are controllably recurrent. A labeled graph Q is 
controllably recurrent if for every vertex Vi that is reachable from Vin, there is a path starting from 
Vi that reaches Vin. A labeled game graph Q is controllably recurrent if for every vertex Vi that is 
reachable from Vin in the underlying graph, there is a strategy vri for player 1 such that against 
all player 2 strategies 7r2, the path starting from Vi given the strategies tti and 1:2 reaches Vin- 
Controllable recurrence models the natural requirement that systems under test are re-initializable, 
that is, from any reachable state of the system, there is always a way to bring the system back to 
its initial state no matter how the system behaves. 

The maximal coverage problem. The maximal coverage problem asks whether at least m 
different propositions can be visited. Wc now define the problem formally for graphs and games. 
Given a path lo = {vo,vi,V2, . . •), let C{io) = [J-^QC{vi) be the set of propositions that appear in 
u. Given a labeled graph Q and < m < |AP|, tlie maximal coverage problem asks whether there 
is path LO such that \C{lo)\ > m. Given a labeled game graph Q and < m < |AP|, the maximal 
coverage problem asks whether player 1 can ensure that at least m propositions are visited, i.e., 
whether 

sup inf \C{Lj{Vin,1Tl,'K2))\>m. 

TTieHi T2en2 
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It may be noted that supj^^g^^ mf7r2en2 I'^('^(^m5 tti, 7r2))| > m iff there exists a player 1 strategy 
ttI such that for all player 2 strategics 7r| we have \C{uj{vin,iTl,TT2))\ > m. 

The maximal state coverage problem is the special case of the maximal coverage problem where 
AP = V and for each v e V we have jC{v) = {v}. That is, each state has its own label, and there 
are |F| singleton partitions. 

The coverage with bounded time problem. The coverage with bounded time problem asks 
whether at least m different propositions can be visited within /c-steps. We now define the problem 
formally for graphs and games. Given a path ui = {vq,vi,V2, ■ ■ ■) and > 0, we denote hy uj \ k the 
prefix of the path of length k + 1, i.e., co \ k = {vq, vi, . . . , Vk). Given a path u = {vq, vi,V2, ■ ■ ■) and 
A; > 0, we denote by jO,{uj \ k) = Uo<i<jk ^(^j)- Given a labeled graph Q and < m < |AP| and A; > 0, 
the coverage with bounded time problem asks whether there is path to such that \C{uj \ k)\ > m. 
Given a labeled game graph Q and < m < |AP|, the maximal coverage problem asks whether 
player 1 can ensure that at least m propositions are visited within fc-steps, i.e., whether 

sup inf \C,{uj{vin,'Ki.,'K2) \ k)\>m. 

TTlSni 7r26n2 

It may be noted that sup^r^eni inf7r2en2 |>C(a;(?;i„, tti, 7r2) t A;)| > m iff there exists a player 1 strategy 
TTjf such that for all player 2 strategies 7r| we have |£(a;(i;i„, Trjf, 7r|) \ k)\ > m. 

System-tester game. A system S = {Q, S, A, AP, £) consists of the following components: 

• A finite set Q of states with the starting state Qm- 

• A finite alphabet S of input letters. 

• A transition relation A C. Q x T, x Q. 

• A finite set of atomic propositions AP and a labeling function C that assigns to each state q 
the set of atomic propositions true at q. 

We consider total systems such that for all g € Q and o" G S, there exists q' (z Q such that 
{Qj q') G a. a system is deterministic if for all g G Q and a G S, there exists exactly one q' such 
that (g, a, q') G A. The tester selects an input letter at every stage and the system resolves the 
non-determinism in transition to choose the successor state. The goal of the tester is to visit as 
many different propositions as possible. The interaction between the system and the tester can be 
reduced to a labeled game graph Q = {(V, E), {Vi, V2), Vin, AP, C) as follows: 

• Vertices and partition. V = Q U Q x T,; Vi = Q and V2 = Q x S; and Vin = qin- 

• Edges. E = {{q, {q, a)) | g G Q, a G S} U {{{q, a),q') \ {q, a, q') G A}. 

• Labeling. C{q) = C{q) and jC,'{{q,a)) = C'{q). 

The coverage question for game between tester and system can be answered by answering the 
question in the game graph. Also observe that if the system is deterministic, then for all player 2 
vertices in the game graph, there is exactly one out-going edge, and hence the game can be reduced 
to a labeled graph. In this paper we will present all the results for the labeled graph and game 
model. All the upper bounds we provide follow also for the game between tester and system. All 
the lower bounds we present can also be easily adapted to the model of the game between system 
and tester. 
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3 The Complexity of Maximal Coverage Problems 



In this section we study the complexity of the maximal coverage problem. In subsection 13.11 we 
study the complexity for graphs, and in subsection 13.21 we study the complexity for game graphs. 

3.1 Graphs 

We first show that the maximal coverage problem for labeled graphs is NP-complete. 
Theorem 1 The maximal coverage problem for labeled graphs is NP-complete. 

Proof. The proof consists of two parts. We present them below. 

1. In NP. The maximal coverage problem is in NP can be proved as follows. Given a labeled 
game graph Q, let n = \V\. We show first that if there is a path uj in Q such that |jC(ci;)| > m, 
then there is a path oj' in G such that \jC{uj' \ m ■ n)\ > m. If w visits at least m propositions, 
and there is a cycle in uj that does not visit a new proposition that is already visited in the 
prefix, then the cycle segment can be removed from lo and still the resulting path visits m 
propositions. Hence if the answer to the maximal coverage problem is "Yes", then there is 
a path io' of length at most m ■ n that is a witness to the "Yes" answer. Since m < |AP|, it 
follows that the problem is in NP. 

2. NP-hardness. Now we show that the maximal coverage problem is NP-hard, and we present 
a reduction from the SAT-problem. Consider a SAT formula and let X = {xi,X2, ■ ■ ■ , Xn} 
be the set of variables and Ci, C2, . . . , Cm be the set of clauses. For a variable xj € X, let 

(a) T{xj) = {£ I Xj € Ci} be the set of indices of the set of clauses Ci that is satisfied if xj 
is set to be true; and 

(b) F{xj) = {£ I Xj G Ci} be the set of indices of the set of clauses Cg that is satisfied if xj 
is set to be false. 

Without loss of generality, we assume that T{xj) and F{xj) are non-empty for all 1 < j < n 
(this is because, for example, if F{xj) = 0, then we can set xj to be true and reduce the 
problem where the variable Xj is not present). For a finite set F C N of natural numbers, let 
max(F) and min(F) denote the maximum and minimum number of F, respectively, for an 
element f & F that is not the maximal element let next(/, F) denote the next highest element 
to / that belongs to F; i.e., (a) next(/, F) G F; (b) / < next(/, F); and (c) if j G F and / < j, 
then next(/, F) < j. We construct a labeled game graph as follows. We first present an 
intuitive description: there are states labeled xi,X2, ■ ■ ■ ,Xn, Xn+i, and all of them are labeled 
by a single proposition. The state is an absorbing state (state with a self- loop only), 

and all other Xi state has two successors. The starting is xi. In every state Xi given the right 
choice we visit in a line a set of states that are labeled by clauses that are true if Xi is true; 
and given the left choice we visit in a line a set of states that are labeled by clauses that are 
true if Xi is false; and then we move to state Xj+i. We now formally describe every component 
of the labeled graph ^* = ((F*, F*), t;f„, AP*, 
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Figure 1: The NP-hardness reduction in picture. 

(a) The set of vertices is 

= {xi\l<i<n + l} 

U {xj^i \ l<j<n,ie T{xj)} U {xj^i \1 <j <n,i e F{xj)}. 

There is a vertex for every variable, and a vertex Xn+i- There is a vertex Xj^i iff Ci G 
t(xj), and there is a vertex xj^i iff Cj G F{xj), 

(b) The set of edges is 

= {{Xn+l,Xn+l)} U {{Xj^ma,x(Ti^Xj)):Xj+i), (Xj,max(F(x,)) , a^j+l) \ < j < n} 
U {(.Tj,.T^-_min(T(a;,))), (a^i , %min(F(a;j )) ) I 1 < J < 

U {(a;j-i,Xj-_next(i,T(x,)) I 1 < i < n,z < max(T(xj))} 
U {(%i,Xj-_F(i,T(2;,)) I 1 < J < < max(F(a:j))}. 

We now explain the role if each set of edges. The first edge is the self-loop at Xn+i- 
The second set of edges specifies that from a;j,max(T(a;j)) the next vertex is Xj+i and 
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similarly, from Xj,max(F(a;j)) the next vertex is again Xj+i. The third set of edges specifies 
that from Xj there are two successors that are xj^t and Xj^i' where i = min(T(xj)) and 
i' = min(F(xj)). The final sets of edges specifies (a) to move in a line from a;j,min{T(xj)) 
to visit the clauses that are satisfied by setting Xj as true, and (b) to move in a line 
from Xj^F(T(a:j)) to visit the clauses that are satisfied by setting Xj as false. Fig [1] gives 
a pictorial view of the reduction. 

(c) The initial vertex is = xi. 

(d) AP* = {Ci, C2, ■ ■ ■ , Cm,X}, i.e., there is a proposition d for each clause Ci and there 
is a proposition X for all variables; 

(e) C^{xj) = X; i.e., every variable state is labeled by the proposition X; and we have 
C^{xj^i) = Ci and C^{xj^i) = Ci, i.e., each state Xj^i and Xj^i is labeled by the corre- 
sponding clause that is indexes. 

The number of states in is 0{n ■ m), and the reduction is polynomial in In this 
graph the maximal number of propositions visited is exactly equal to the maximal number 
of satisfiable clauses plus 1 (since along with the propositions for clauses the proposition X 
for all variables is always visited). The proof of the above claim is as follows. Given a path 
u) in we construct an assignment A for the variables as follows: if the choice at a vertex 
Xj is a^j then we set xj as true in A, else we set Xj as false. Hence if a path in 

visits a set P C AP* of r propositions, then the assignment A satisfies r — 1 clauses (namely, 
P \ {X}). Conversely, given an assignment A of the variables, we construct a path uj"^ in t/* 
as follows: if Xj is true in the assignment A, then the path u)^ chooses Xj^-aiin{T{xj)) Xj, 
otherwise, it chooses ^j,min(F(a;j)) at Xj. If A satisfies a set Q of r — 1 clauses, then uj"^ visits 
r + 1 propositions (namely, the set Q U {X} of propositions). Hence $ is satisfiable iff the 
answer to the maximal coverage problem with input and m + 1 is true. 

The desired result follows. I 

Hardness of approximation. We note that from the proof Theorem [1] it follows that the MAX- 
SAT problem (i.e., computing the maximal number of clauses satisfiable for a SAT formula) can be 
reduced to the problem of computing the exact number for the maximal coverage problem. From 
hardness of approximation of the MAX-SAT problem [4], it follows that the maximal coverage 
problem for labeled graphs is hard to approximate. 

Theorem 2 The maximal coverage problem for labeled graphs that are controllably recurrent can 
be decided in PTIME. 

Proof. To solve the maximal coverage problem for labeled graphs that are controllably recurrent, 
we compute the maximal strongly connected component C that Vin belongs to. Since the graph is 
controllably recurrent, all states that are reachable from Vin belong to C. Hence the answer to the 
maximal coverage problem is "Yes" iff | |J^g(^£(w)| > m. The result follows. I 

3.2 Game graphs 

Theorem 3 The maximal coverage problem for labeled game graphs is P SPACE- complete. 
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Proof. The proof consists of two parts. We present them below. 

1. In PSPACE. We argue that the maximal coverage problem for labeled game graph can be 
reduced to the coverage in bounded time problem. The reason is as follows: in a labeled 
game graph with n vertices, if player 1 can visit m propositions, then player 1 can visit m 
propositions within at most m ■ n steps; because player 1 can always play a strategy from 
the current position that visits a new proposition that is not visited and never needs to go 
through a cycle without visiting a new proposition unless the maximal coverage is achieved. 
Hence it follows that the maximal coverage problems for games reduces to the coverage in 
bounded time problem. The PSPACE inclusion will follow from the result of Theorem [7] 
where we show that the coverage in bounded time problem is in PSPACE. 

2. PSPACE-hardness. The maximal coverage problem for game graphs is PSPACE-complete, 
even if the underlying graph is strongly connected. The proof is a reduction from QBE 
(truth of quantified boolean formulas) that is known to be PSPACE-complete [12], and it is 
a modification of the reduction of Theorem [TJ Consider a QBE formula 

$ = 3xi.Vx2.3a;3 . . . 3x„.Ci A C2 A . . . Cm] 

defined on the set X = {xi, X2, ■ ■ ■ , Xn} of variables, and Ci, C2, . . . , Cm are the clauses of 
the formula. We apply the reduction of Theorem [T] with the following modification to obtain 
the labeled game graph Q^: the partition {Vi ,¥2) of is as follows. For a variable Xj if 
the quantifier before Xj is existential, then Xj £ V^^^* (i-e., for existentially quantified variable, 
player 1 chooses the out-going edges denoting whether to set the variable true or false); and 
for a variable Xj if the quantifier before Xj is universal, then Xj € V2 (i-e., for universally 
quantified variable, the opposing player 2 chooses the out-going edges denoting whether to 
set the variable true or false). The state Xn+i is a player 2 vertex, and all other vertex has 
an single out-going edges and can be player 1 state. Given this game graph we have <^ is true 
iff player 1 can ensure that all the propositions can be visited in Formally, let 11* and 
n* denote the set of all strategies for player 1 and player 2, respectively, in . Then $ is 
true iff sup^^gn* mi^^^YV^ |i2*(Li;(xi, vri, 7r2))| > m + 1. Observe that since Xn+i is a player 2 
state if we add an edge from Xn+i to xi, player 2 will never choose the edge Xn+i to xi (since 
the objective for player 2 is to minimize the coverage). However, adding the edge from Xn+i 
to xi makes the underlying graph strongly connected (i.e., the underlying graph of the game 
graph becomes controllably recurrent; but player 1 does not have a strategy to ensure that 
xi is reached, so the game is not controllably recurrent). 

The desired result follows. I 

Complexity of maximal coverage in controllably recurrent games. We will now con- 
sider maximal coverage in controllably recurrent games. Our analysis will use fixing memoryless 
randomized strategy for player 1, and fixing a memoryless randomized strategy in labeled game 
graph we get a labeled Markov decision process (MDP). A labeled MDP consists of the same 
components as a labeled game graph, and for vertices in Vi (which are randomized vertices in 
the MDP) the successors are chosen uniformly at random (i.e., player 1 does not have a proper 
choice of the successor but chooses all of them uniformly at random). Given a labeled game graph 
Q = {iy^E), (Vi, V2), Um, AP, £) we denote by Unif(t/) the MDP interpretation of Q where player 1 
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vertices chooses all successors uniformly at random. An end component in Unif(G) is a set U of 
vertices such that (i) U is strongly connected and (ii) U is player 1 closed, i.e., for all u & U OVi, 
for all u' such that {u, u') € E we have u' € U (in other words, for all player 1 vertices, all the 
out-going edges are contained in U). 

Lemma 1 Let Q be a labeled game graph and let Unif(^) be the MDP interpretation of Q. Then 
the following assertions hold. 

1. Let U be an end-component in \Jn\f{Q) with Vin e U. Then 
sup^iGRi infTraena TTi, 7r2))| < lUnGt/^WI- 

2. There exists an end-component U G Unif(^) with Vin G U such that |Uue[/^(^)l ^ 
sup^ieni infTTaena tti, 7r2))|. 

Proof. We prove both the claims below. 

1. If ?7 is an end-component in Unif(G), then consider a memoryless strategy 7r| for player 2, 
that for all vertices u E [/ n V2 , chooses a successor u' (such a successor exists since U is 
strongly connected). Since U is player 1 closed (i.e., for all player 1 out-going edges from U, 
the end-point is in U), it follows that for all strategies of player 1 , given the strategy 7r| for 
player 2, the vertices visited in a play is contained in U. The desired result follows. 

2. An optimal strategy vr^ for player 1 in ^ is as follows: 

(a) Let Zq = {v \ C{v) = C{vin)} and i = 0; 

(b) At iteration i, let Zi represents the set of propositions already visited. At iteration i, 
player 1 plays a strategy to reach a state in V\Zi (if such a strategy exists) , and then 
reaches back Vin (a strategy to reach back Vin always exists since the game is controllably 
recurrent) . 

(c) If a new proposition pi is visited at iteration i, then let Zi^i = ZiU {v V \ C{v) = pi}. 
Goto step (b) for i -|- 1 iteration with Zj+i. If no state 'm.V\Zi can be reached, then 
stop. 

The strategy tt^ is optimal, and let the above iteration stop with Z^ = Z* . Let X = V \ Z* , 
and let X* be the set of vertices such that player 1 can reach X. Let U* = V \ X*. Then 
Vin G U* and player 2 can ensure that from Vin the game can be confined to U*. Hence 
the following conditions must hold: (a) for all u G [/* Pi V2, there exists u' £ U* such that 
(u, u!) G E\ and (b) for aU u^U* r\Vi, for all u' such that {u, u') e E we have u' eU*. 
Consider the sub-graph G' where player 2 restricts itself to edges only in U*. A bottom 
maximal strongly connected component U C. U* in the sub-graph is an end-component in 
Unif(^), and we have 

I u £{u)\ < I u ^Hl < I U '^wi- 

ueu u&u* uez* 

It follows that [/ is a witness end-component to prove the result. 

The desired result follows. I 
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Theorem 4 The maximal coverage problem for labeled game graphs that are controallably recurrent 
is coNP- complete. 

Proof. We prove the following two claims to establish the result. 

1. In coNP. The fact that the problem is in coNP can be proved using Lemma [H Given 
a labeled game graph if the answer to the maximal coverage problem (i.e., whether 
sup^^gUi i^f7r2en2 l^('^(^m, TTi, 7r2))| > m) is NO, then by Lemma [H there exists an end- 
component U in Unif(^) such that |(J^g^>C(n)| < m. The witness end-component C/ is a 
polynomial witness and it can be guessed and verified in polynomial time. The verification 
that U is the correct witness is as follows: we check (a) U is strongly connected; (b) for all 
n G C/n Vi and for all u' such that {u, u') ^ E we have u' G U; and (c) | UueC/ < 
Hence the result follows. 

2. coNP hardness. We prove hardness using a reduction from the complement of the Vertex 
Cover problem. Given a graph G = {V,E), a set C/ C y is a vertex cover if for all edges 
e = (tti,U2) E we have either ui E J7 or n2 S U. Given a graph G whether there is 
a vertex cover U of size at most m (i.e., \U\ < m) is NP-complete [8]. We now present a 
reduction of the complement of the vertex cover problem to the maximal coverage problem in 
controallably recurrent games. Given a graph G = {V, E) we construct a labeled game graph 
Q as follows. Let the set E of edges be enumerated as {ei, 62, ... , e^}, i.e., there are £ edges. 
The labeled game graph Q = {{V,E), (Fi, I/2), ^m, AP, £) is as follows. 

(a) Vertex set and partition. The vertex set V is as follows: 

V = {v^n} UEU{e{\l<i<£,l<j<2}. 

All states in E are player 2 states, and the other states are player 1 states, i.e., V2 = E, 
and Vi = V\V2. 

(b) Edges. The set E of edges are as follows: 

E = {{v^n, ej) \ l<j<£} U {{ci, ei)\l<i<£,l<j <2} 
U{(e|,i;„) \ l<i<£,l<j <2}. 

Intuitively, the edges in the game graph are as follows: from the initial vertex Vin^ 
player 1 can choose any of the edges E E. For a vertex in V, player 2 can choose 
between two vertices ej and ef (which will eventually represent the two end-points of 
the edge e^). From vertices of the form ej and e?, for 1 < i < £, the next vertex is the 
initial vertex Vm- It follows that from all vertex the game always comes back to Vm and 
hence we have controllably recurrent game. 

(c) Propositions and labelling. AP = F U {$ | $ V}, i.e., there is a proposition for every 
vertex in V and a special proposition $. The vertex u and vertices in E are labeled 
by the special proposition $, i.e., C{vin) = $; and for all Cj E we have £(ej) = $. 
For a vertex e^, let Cj = (u[,u?), where uj,uf are vertices in V, then C{ej) = u\ and 
C{e1) = uf. Note that the above proposition assignment ensures that at every vertex 
that represents an edge, player 2 has the choices of vertices that form the end-points of 
the edge. 
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The following case analysis completes the proof. 

• Given a vertex cover U, consider a player 2 strategy, that at a vertex Cj G V, choose a 
successor such that C^el) £ U. The strategy for player 2 ensures that player 1 visits 
only propositions in [/ U {$}, i.e., at most \U\ + 1 propositions. 

• Consider a strategy for player 1 that from Vm visits all states ei,e2, ■ ■ ■ ,ee in order. 
Consider any counter-strategy for player 2 and let U C V be the set of propositions 
other than $ visited. Since all the edges are chosen, it follows that U is a vertex cover. 
Hence if all vertex cover in G is of size at least m, then player 1 can visit at least m + 1 
propositions. 

Hence there is a vertex cover in G of size at most m if and only if the answer to the maximal 
coverage problem in Q with m + 1 is NO. It follows that the maximal coverage problem in 
controllably recurrent games is coNP-hard. 

The desired result follows. I 

Complexity of minimal safety games. As a corollary of the proof of Theorem [5] we obtain a 
complexity result about minimal safety games. Given a labeled game graph Q and m, the minimal 
safety game problem asks, whether there exists a set U such that a player can confine the game in 
U and U contains at most m propositions. An easy consequence of the hardness proof of Theorem |4] 
is minimal safety games are NP-hard, and also it is easy to argue that minimal safety games are in 
NP. Hence we obtain that the minimal safety game problem is NP-complete. 

4 The Complexity of Coverage in Bounded Time Problem 

In this section we study the complexity of the coverage in bounded time problem. In subsection 14. II 
we study the complexity for graphs, and in subsection 14. 21 we study the complexity for game graphs. 

4.1 Graphs 

Theorem 5 The coverage in bounded time problem for both labeled graphs and controllably recur- 
rent labeled graphs is NP-complete. 

Proof. We prove the completeness result in two parts below. 

1. In NP. Given a labeled graph with n vertices, if there a path uj such that \C{uj \ k)\ > m, then 
there is path uj' such that \C{uj' \ m ■ n)\ > m. The above claim follows since any cycle that 
does not visit any new proposition can be omitted. Hence a path of length j = min(A;, m ■ n) 
can be guessed and it can be then checked in polynomial time if the path of length j visits 
at least m propositions. 

2. In NP-hard. We reduce the Hamiltonian-path (HAM-PATH) [8] problem to the coverage in 
bounded time problem for labeled graphs. Given a directed graph G = (V, E) and an initial 
vertex v, we consider the labeled graph Q with the directed graph G, with v as the initial 
state and AP = V and C{u) = u for all u G y, i.e., each vertex is labeled with an unique 
proposition. The answer to the coverage is bounded time with k = n and m = n, for n = |y| 
is "YES" iff there is a HAM-PATH in G starting from v. 
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The desired result follows. I 

Complexity in size of the graph. We now argue that the maximal coverage and the coverage 
in bounded time problem on labeled graphs can be solved in non-deterministic log-space in the size 
of the graph, and polynomial space in the size of the atomic propositions. Given a labeled graph Q, 
with n vertices, we argued in Theorem [T] that if m propositions can be visited, then there is a path of 
length at most m-n, that visits m propositions. The path of length m-n, can be visited, storing the 
current vertex, and guessing the next vertex, can checking the set of propositions already visited. 
Hence this can be achieved in non-deterministic log-space in the size of the graph, and polynomial 
space in the size of the proposition set. A similar argument holds for the coverage in bounded time 
problem. This gives us the following result. 

Theorem 6 Given a labeled graph Q = ({V,E),Vin,AP,C), the maximal coverage problem and the 
coverage in bounded time problem can be decided in NLOGSPACE in \V\ + \E\, and in PSPACE 
in |AP|. 

4.2 Game graphs 

Theorem 7 The coverage in bounded time problem for labeled game graphs is PSPACE-complete. 

Proof. We prove the following two cases to prove the result. 

1. PSPACE-hardness. It follows from the proof of Theorem [3] that the maximal coverage prob- 
lem for labeled game graphs reduces to the coverage in bounded time problem for labeled 
game graphs. Since the maximal coverage problem for labeled game graphs is PSPACE-hard 
(Theorem [3]), the result follows. 

2. In PSPACE. We say that an exploration game tree for a labeled game graph is a rooted, 
labeled tree which represents an unfolding of the graph. Every node a of the tree is labeled 
with a pair (u, 6), where t; is a node of the game graph, and h C AP is the set of propositions 
that have been visited in a branch leading from the root of the tree to a. The root of the 
tree is labeled with {vm, C{vin))- A tree with label {v,b) has one descendant for each u with 
{v, u) G E; the label of the descendant is (n, h U C{u)). 

In order to check if m different propositions can be visited within /c-steps, the PSPACE 
algorithm traverses the game tree in depth first order. Each branch is explored up to one of 
the two following conditions is met: (i) depth k is reached, or (ii) a node is reached, which 
has the same label as an ancestor in the tree. The bottom nodes, where conditions (i) or (ii) 
are met, are thus the leaves of the tree. In the course of the traversal, the algorithm computes 
in bottom-up fashion the value of the tree nodes. The value of a leaf node labeled {v, b) is 
For player-1 nodes, the value is the maximum of the values of the successors; for player-2 
nodes, the value is the minimum of the value of the successors. Thus, the value of a tree node 
a represents the minimum number of propositions that player 1 can ensure are visited, in the 
course of a play of the game that has followed a path from the root of the tree to a, and that 
can last at most k steps. The algorithm returns Yes if the value at the root is at least m, and 
no otherwise. 

To obtain the PSPACE bound, notice that if a node with label {v, b) is an ancestor of a node 
with label {v',b') in the tree, we have b Q b': thus, along a branch, the set of propositions 
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appearing in the labels increases monotonically. Between two increases, there can be at most 
1^1 nodes, due to the termination condition (ii). Thus, each branch needs to be traversed at 
most to depth 1 + |^| • (|AP| + 1), and the process requires only polynomial space. 

The result follows. I 

Theorem 8 The coverage in hounded time problem for labeled game graphs that are controllably 
recurrent is both NP-hard and coNP-hard, and can be decided in PSPACE. 

Proof. It follows from the (PSPACE-inclusion) argument of Theorem [3] that the maximal coverage 
problem for labeled game graphs that are controllably recurrent can be reduced to the coverage in 
bounded time problem for labeled game graphs that are controllably recurrent. Hence the coNP- 
hardness follows from Theorem [U and the NP-hardness follows from hardness in labeled graphs 
that are controllably recurrent (Theorem [5|) . The PSPACE-inclusion follows from the general case 
of labeled game graphs (Theorem [Tj). I 

Theorem [8] shows that for controllably recurrent game graphs, the coverage in bounded time 
problem is both NP-hard and coNP-hard, and can be decided in PSPACE. A tight complexity 
bound remains an open problem. 

Complexity in the size of the game. The maximal coverage problem can alternately be 
solved in time linear in the size of the game graph and exponential in the number of proposi- 
tions. Given a game graph G = ((y, £'), (Fl, V2), Wm, AP, £), construct the game graph G' = 
{{V',E'),{V{,Vr^),v'i^,AP,C') where V' = V x 2^^, {{v,h),{v' ,b')) G E' iff {v,v') G E and 
b' = bU£,{v'), Vi = {{v,b) \ V e Vi} for i G {1,2}, v',^ = (v^nXM), and /:'{v,b) = C'{v). 
Clearly, the size of the game graph G' is linear in G and exponential in AP. Now consider a reach- 
ability game on G' with the goal {(f,6) \ v &V and |6| > m\. Player-1 wins this game iff the 
maximal coverage problem is true for G and m propositions. Since a reachability game can be 
solved in time linear in the game, the result follows. A similar construction, where we addition- 
ally track the length of the game so far, shows that the maximal coverage problem with bounded 
time can be solved in time linear in the size of the game graph and exponential in the number of 
propositions. 

Theorem 9 Given a labeled game graph Q = {{V, E), (Vi, V2), i^m, AP, C) the maximal coverage and 
the coverage in bounded time problem can be solved in linear-time in 0{\V\ + \E\) and in exponential 
time in |AP|. 

5 Extensions 

Somewhat surprisingly, despite the central importance of graph coverage in system verification, 
several basic complexity questions have remained open. The basic setting of this paper on graphs 
and games can be extended in various directions, enabling the modeling of other system features. 
We mention two such directions. 
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Incomplete Information. So far, we have assumed that at each step, the tester has complete 
information about the state of the system under test. In practice, this may not be true, and 
the tester might be able to observe only a part of the state. This leads to graphs and games 
of imperfect information |13j . The maximal coverage and the coverage in bounded time problem 
for games of imperfect information can be solved in EXPTIME. The algorithm first constructs a 
perfect-information game graph by subset construction [13], and then run the algorithm of The- 
orem [9l that is linear in the size game graph and exponential in the number of propositions, on 
the perfect-information game graph. Thus, the complexity of this algorithm is EXPTIME. The 
reachability problem for imperfect-information games is already EXPTIME-hard [13], hence we 
obtain an optimal EXPTIME-complete complexity. 

Timed Systems. Second, while we have studied the problem in the discrete, finite-state setting, 
similar questions can be studied for timed systems modeled as timed automata [2] or timed game 
graphs [11]. Such problems would arise in the testing of real-time systems. We omit the standard 
definitions of timed automata and timed games. The maximal coverage problem for timed automata 
(respectively, timed games) takes as input a timed automaton T (respectively, a timed game T), 
with the locations labeled by a set AP of propositions, and a number m, and asks whether m 
different propositions can be visited. An algorithm for the maximal coverage problem for timed 
automata constructs the region graph of the automaton [2] and runs the algorithm of Theorem [6] 
on the labeled region graph. This gives us a PSPACE algorithm. Since the reachability problem for 
timed automata is PSPACE-hard, we obtain a PSPACE-complete complexity. Similar result holds 
for the coverage in bounded time problem for timed automata. Similarly, the maximal coverage and 
coverage in bounded time problem for timed games can be solved in exponential time by running 
the algorithm of Theorem [9] on the region game graph. This gives an exponential time algorithm. 
Again, since game reachability on timed games is EXPTIME-hard [9], we obtain that maximal 
coverage and coverage in bounded time in timed games is EXPTIME-complete. 
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